[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?

Harald Hannelius harald+samba at arcada.fi
Thu Jun 4 14:07:07 UTC 2020

On Thu, 4 Jun 2020, Rowland penny via samba wrote:
> On 04/06/2020 14:46, Harald Hannelius via samba wrote:
>> So the best way for me would be to implement the RFC2307/SFU schema in the 
>> Windows AD "AD", add the same uidNumber for every user in "AD" as they had 
>> in the old "Samba" domain, and then just join the fileservers to the "AD" 
>> domain?
>> Then I change the map-range to be like it was for the "SAD" domain.
>> It's more like migrating filesystems with users and groups tied to files 
>> than just migrating users.
> Yes you could do that, but don't forget groups as well and if you do not have 
> any groups (usergroups count as no groups), ensure that Domain Users has a 
> gidNumber inside whatever range you end up with.

Ouch. I forgot my groups. Have to calculate them in as well.

And another ouch is I would not be able to utilize my Samba AD which I like 
much better than the Windows version.

If I remember correctly, there's no additional idmap range for groups but 
they are rather inside the same numeric range as users in AD? So I now have 
duplicate idmap numbers because they originate from users and groups?

I appreciate your help.


Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
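
A pre-join check for the plan discussed in this message, as an added example that is not part of the original post or of Samba: it compares the uidNumber/gidNumber values set in the new directory with the old domain's IDs and the idmap range, and confirms that Domain Users has a gidNumber. All names, numbers, the range and the dictionary layout are constructed assumptions.

```python
# Constructed sample data: every name, number and the range is an assumption.
IDMAP_RANGE = (10000, 19999)  # hypothetical idmap range for the "AD" domain

# IDs as they were in the old domain (what files on disk are owned by).
OLD_UIDS = {"alice": 10001, "bob": 10002, "carol": 10003}
OLD_GIDS = {"staff": 10100, "students": 10101}

# Constructed stand-in for an export of RFC2307 attributes from the new AD.
AD_USERS = {"alice": {"uidNumber": 10001}, "bob": {"uidNumber": 10020}, "carol": {}}
AD_GROUPS = {"staff": {"gidNumber": 10100}, "students": {"gidNumber": 20101},
             "Domain Users": {}}


def check_ids(kind, attr, old, new, rng=IDMAP_RANGE):
    """Report accounts whose new ID is missing, changed, or out of range."""
    findings = []
    for name, want in sorted(old.items()):
        got = new.get(name, {}).get(attr)
        if got is None:
            findings.append(f"{kind} {name}: {attr} missing")
            continue
        if got != want:  # files owned by the old ID would change owner
            findings.append(f"{kind} {name}: {attr} {got}, old domain had {want}")
        if not rng[0] <= got <= rng[1]:
            findings.append(f"{kind} {name}: {attr} {got} outside {rng[0]}-{rng[1]}")
    return findings


def check_domain_users(groups, rng=IDMAP_RANGE):
    """Domain Users needs a gidNumber inside the range, per the quoted reply."""
    gid = groups.get("Domain Users", {}).get("gidNumber")
    if gid is None:
        return ["group Domain Users: gidNumber missing"]
    if not rng[0] <= gid <= rng[1]:
        return [f"group Domain Users: gidNumber {gid} outside {rng[0]}-{rng[1]}"]
    return []


def audit():
    return (check_ids("user", "uidNumber", OLD_UIDS, AD_USERS)
            + check_ids("group", "gidNumber", OLD_GIDS, AD_GROUPS)
            + check_domain_users(AD_GROUPS))


if __name__ == "__main__":
    for line in audit():
        print(line)
```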
